This news update is designed to provide general information on pertinent legal topics. Holland & Hart, 800 W Main Street, Suite 1750, Boise, ID 83702 If an authorization is required, HIPAA prevents providers and business associates from using or disclosing more PHI than is allowed or in a manner that is different than as stated in the authorization, so providers should ensure that the authorization is broad enough to cover the requested use or disclosure, including any disclosure of oral information in addition to records.ģA limited exception allows an authorization for the disclosure of research information to be combined with a consent to participate in the research 45 CFR 164.508(b)(3)(i).įor questions regarding this update, please contact The provider must retain a copy of the authorization for six years. 10 The provider is not required to give a copy if the patient initiated the authorization. If the provider is requesting the authorization from the patient, the provider must give the patient or personal representative a signed copy of the authorization. 9 For patients with limited English proficiency, the provider may need to translate the authorization for the patient. The authorization must be written in plain language. The authorization and its required elements must be completely filled out, i.e., there should be no blanks concerning the required terms. If the authorization is to permit the use or disclosure of PHI for purposes of marketing (as defined by HIPAA) or the sale of PHI, and the provider will receive remuneration for the PHI, the authorization must notify the patient that the provider will receive the remuneration. The information disclosed per the authorization may be subject to redisclosure by the recipient and no longer protected by HIPAA.The provider generally may not condition its healthcare on the provision of the authorization except (i) for research-related treatment, or (ii) if the purpose of the healthcare is to create information for disclosure (e.g., an employment physical or independent medical exam), in which case the provider may refuse to provide the healthcare if the patient refuses to execute an authorization.The patient or personal representative has the right to revoke the authorization at anytime by submitting a written revocation except to the extent the provider has taken action in reliance on the authorization.The authorization must also contain certain required statements regarding patient If the authorization is signed by the personal representative, a description of the personal representative’s authority to act for the patient.The date and signature of the patient or the patient’s personal representative.An expiration date or event that relates to the patient or the purpose of the use or disclosure (e.g., “until completion of the litigation.”).If the patient initiates the authorization, a statement that the disclosure is “at the request of the individual” is sufficient. A description of each purpose for the requested use or disclosure.The name or identification of the person(s) or class of person(s) to whom the provider may make the requested use or disclosure.The name or specific identification of the person(s) or class of person(s) authorized to make the use or disclosure.A description of the PHI to be used or disclosed that identifies the PHI in a specific and meaningful fashion.The authorization must contain the required “core elements” 5. 3 An authorization to use or disclose psychotherapy notes may not be combined with an authorization to disclose other forms of PHI. The authorization may not be combined with any other document such as a consent for treatment. To be valid, a HIPAA authorization must satisfy the following 2: 1 Many if not most authorizations received by providers are invalid. The HIPAA privacy rules generally prohibit healthcare providers and their business associates from using or disclosing protected health information (“PHI”) unless (1) they have a valid written HIPAA authorization signed by the patient or the patient’s personal representative, or (2) a specific regulatory exception applies.
0 kommentar(er)
